Improve Central Package Management, update dependencies and fix package validation/MSBuild warnings #15362
Conversation
… replace Microsoft.CSharp with Microsoft.CodeAnalysis.CSharp
| @@ -17,6 +16,7 @@ | |||
| <WarningsAsErrors>nullable</WarningsAsErrors> | |||
| <ImplicitUsings>enable</ImplicitUsings> | |||
| <GenerateDocumentationFile>true</GenerateDocumentationFile> | |||
| <WarnOnPackingNonPackableProject>false</WarnOnPackingNonPackableProject> | |||
There was a problem hiding this comment.
This removes the following warning: This project cannot be packaged because packaging has been disabled. Add <IsPackable>true</IsPackable> to the project file to enable producing a package from this project., which is correct, as we don't want some projects (like Umbraco.Web.UI) to generate a NuGet package.
| <ItemGroup> | ||
| <PackageReference Include="Nerdbank.GitVersioning" Version="3.6.133" PrivateAssets="all" IsImplicitlyDefined="true" /> | ||
| <PackageReference Include="StyleCop.Analyzers" Version="1.2.0-beta.507" PrivateAssets="all" IsImplicitlyDefined="true" /> | ||
| <PackageReference Include="Umbraco.Code" Version="2.0.0" PrivateAssets="all" IsImplicitlyDefined="true" /> | ||
| <PackageReference Include="Umbraco.GitVersioning.Extensions" Version="0.2.0" PrivateAssets="all" IsImplicitlyDefined="true" /> | ||
| </ItemGroup> |
There was a problem hiding this comment.
These package dependencies are moved to a GlobalPackageReference in Directory.Packages.props.
| @@ -2,47 +2,69 @@ | |||
| <Project> | |||
| <PropertyGroup> | |||
| <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally> | |||
| <NoWarn>NU1507</NoWarn> | |||
| <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled> | |||
There was a problem hiding this comment.
This allows us to specify package versions for transitive packages and takes care of promoting them to a top-level dependency when necessary.
| <PackageVersion Include="K4os.Compression.LZ4" Version="1.3.6" /> | ||
| <PackageVersion Include="MailKit" Version="4.3.0" /> | ||
| <PackageVersion Include="Markdown" Version="2.2.1" /> | ||
| <PackageVersion Include="MessagePack" Version="2.5.140" /> |
There was a problem hiding this comment.
MessagePack has been updated from 2.5.129 to 2.5.140: https://github.com/MessagePack-CSharp/MessagePack-CSharp/releases/tag/v2.5.140
| <PackageVersion Include="OpenIddict.Abstractions" Version="4.10.1" /> | ||
| <PackageVersion Include="OpenIddict.AspNetCore" Version="4.10.1" /> | ||
| <PackageVersion Include="OpenIddict.EntityFrameworkCore" Version="4.10.1" /> |
There was a problem hiding this comment.
OpenIddict has been updated from 4.10.0 to 4.10.1: https://github.com/openiddict/openiddict-core/releases/tag/4.10.1
| <PackageVersion Include="Microsoft.AspNetCore.Mvc.NewtonsoftJson" Version="8.0.0" /> | ||
| <PackageVersion Include="Microsoft.AspNetCore.Mvc.Razor.RuntimeCompilation" Version="8.0.0" /> | ||
| <PackageVersion Include="Microsoft.CodeAnalysis.CSharp" Version="4.8.0" /> |
There was a problem hiding this comment.
Microsoft.CSharp has been replaced by Microsoft.CodeAnalysis.CSharp, which is an updated version (part of https://github.com/dotnet/roslyn/, instead of the archived https://github.com/dotnet/corefx repo).
| <PackageVersion Include="System.IO.FileSystem.AccessControl" Version="5.0.0" /> | ||
| <PackageVersion Include="System.Security.Cryptography.Pkcs" Version="8.0.0" /> | ||
| <PackageVersion Include="System.Threading.Tasks.Dataflow" Version="8.0.0" /> | ||
| <PackageVersion Include="System.ComponentModel.Annotations" Version="5.0.0" /> | ||
| <PackageVersion Include="System.Reflection.Emit.Lightweight" Version="4.7.0" /> |
There was a problem hiding this comment.
These package references were previously added to fix a security vulnerability, but are now obsolete again...
| <!-- NPoco.SqlServer brings in a vulnerable version of Azure.Identity --> | ||
| <PackageVersion Include="Azure.Identity" Version="1.10.4" /> | ||
| <!-- Umbraco.Code depends on an outdated Microsoft.CodeAnalysis.CSharp.Workspaces version--> | ||
| <PackageVersion Include="Microsoft.CodeAnalysis.CSharp.Workspaces" Version="4.8.0" /> | ||
| <!-- Dazinator.Extensions.FileProviders brings in a vulnerable version of System.Net.Http --> | ||
| <PackageVersion Include="System.Net.Http" Version="4.3.4" /> |
There was a problem hiding this comment.
We might want to create issues/PRs to fix these outdated transitive dependencies.
| <Title>UmbracoPackage</Title> | ||
| <Description>...</Description> | ||
| <PackageTags>umbraco plugin package</PackageTags> | ||
| <RootNamespace Condition="'$(name)' != '$(name{-VALUE-FORMS-}safe_namespace)'">UmbracoPackage</RootNamespace> | ||
| <ManagePackageVersionsCentrally>false</ManagePackageVersionsCentrally> |
There was a problem hiding this comment.
This was part of the distributed project template (for packages and new Umbraco projects)!
There was a problem hiding this comment.
I guess the rootnamespace should be. Also the other one did not do any harm, due to the fact we was not using centrallized packages for those
There was a problem hiding this comment.
The root namespace is still there, just moved to a different property group 😉 We don't know whether the template is used to create a new project within a solution that already uses CPM and we also don't want the project to opt-out if you enable it later either!
| <!-- Enable multi-level merging --> | ||
| <Import Project="$([MSBuild]::GetPathOfFileAbove(Directory.Packages.props, $(MSBuildThisFileDirectory)..))" /> |
There was a problem hiding this comment.
This ensures the global packages are also used for the tests, since they are not added in Directory.Build.props anymore...
Prerequisites
Description
PR #15293 added Central Package Management, but the
Directory.Packages.propsfile was split between thesrcandtestsdirectories, still disabled it for some projects (using<ManagePackageVersionsCentrally>false</ManagePackageVersionsCentrally>, instead of usingVersionOverride), didn't use global package references and transitive pinning...This PR contains the following (currently for v13, so needs to be merged back):
Umbraco.Cms.Imaging.ImageSharp2uses version overrides to pin the major to v2src\Directory.Packages.propsis moved to the root andtests\Directory.Packages.propsinherits from this file (by manually importing the parent file as documented)GlobalPackageReference, ensuring they are only used as a development dependencyMicrosoft.CSharpis replaced withMicrosoft.CodeAnalysis.CSharp, which is the .NET Standard 2.0/.NET 6 equivalent version that is kept up-to-dateUmbraco.Cms.Infrastructuredoesn't have a dependency onNPoco.SqlServer, but only onNPocoWarnOnPackingNonPackableProjectandNU1507has been addressed by adding anuget.configfile with a package source mapping<LangVersion>11.0</LangVersion>is removed, so the default is used again (which is C# 12 for .NET 8)